didkit-cli 0.1.0

Command-line interface for Verifiable Credentials and Decentralized Identifiers.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215

# DIDKit CLI

DIDKit offers its functionality in a command-line program, `didkit`.

## Build

```sh
$ cargo build
```

## Install
```sh
$ cargo install --path .
```

## Commands

### `didkit help`

Output help about `didkit` and its subcommands.

### `didkit generate-ed25519-key`

Generate a Ed25519 keypair and output it in [JWK format](https://tools.ietf.org/html/rfc8037#appendix-A.1).

### `didkit key-to-did <method_pattern>`

Given a [JWK][] and a supported DID method name or pattern, output the corresponding DID.

### `didkit key-to-verification-method <method_pattern>`

Given a [JWK][] and a supported DID method name or pattern, output the corresponding [verificationMethod][].

#### Options

- `-k, --key-path <file>` (required, conflicts with jwk) - Filename of JWK file
- `-j, --jwk <jwk>` (required, conflicts with key-path) - JWK.

#### Supported DID method names and patterns

- `key` - [did:key][] ([Ed25519][], [P-256][] [Secp256k1][])
- `tz` - [did:tz][] ([Ed25519][], [P-256][] [Secp256k1][])
- `ethr` - [did:ethr][] ([Secp256k1][])
- `sol` - `did:sol` ([Ed25519][])
- `pkh:[…]` - `did:pkh` ([Ed25519][], [P-256][] [Secp256k1][])

### `didkit vc-issue-credential`

Issue a verifiable credential. Reads credential on stdin, constructs a [linked data proof][ld-proofs] to add to the credential, and outputs the resulting verifiable credential.

Corresponds to [/credentials/issue](https://w3c-ccg.github.io/vc-http-api/#operation/issueCredential) in [vc-http-api][].

The proof type is set automatically based on the key file provided. JWK parameters besides the cryptographic components, such as [kid][] (Key ID), are ignored currently. For an RSA key, the [alg][] (Algorithm) parameter is ignored and `RS256` is used for it, for [RsaSignature2018][].

#### Options

- `-r, --did-resolver <url>` - [DID resolver HTTP(S) endpoint][did-resolution-https-binding], used for DID resolution and DID URL dereferencing for non-built-in DID Methods. Equivalent to environmental variable `DID_RESOLVER`.
- `-k, --key-path <key>` (required, conflicts with jwk) - Filename of JWK for signing.

The following options correspond to linked data [proof options][] as specified in [ld-proofs][] and [vc-http-api][]:

- `-C, --challenge <challenge>` - [challenge][] property of the proof
- `-c, --created <created>` - [created][] property of the proof. ISO8601 datetime. Defaults to the current time.
  time.
- `-d, --domain <domain>` - [domain][] property of the proof
- `-j, --jwk <jwk>` (required, conflicts with key-path) - JWK for signing.
- `-p, --proof-purpose <proof-purpose>` [proofPurpose][] property of the proof.
- `-v, --verification-method <verification-method>` [verificationMethod][]
  property of the proof. URI for proof verification information, e.g. a public key identifier.

#### Supported [JWK key types][kty]

- `RSA`
- `OKP` (`curve`: `Ed25519`)

### `didkit vc-verify-credential`

Verify a verifiable credential. Reads verifiable credential on standard input, and outputs verification result. Returns exit status zero if credential successfully verified, or non-zero if errors were encountered.

Corresponds to [/credentials/verify](https://w3c-ccg.github.io/vc-http-api/#operation/verifyCredential) in [vc-http-api][].

#### Options

- `-r, --did-resolver <url>` - [DID resolver HTTP(S) endpoint][did-resolution-https-binding], used for DID resolution and DID URL dereferencing for non-built-in DID Methods. Equivalent to environmental variable `DID_RESOLVER`.

The following options are linked data [proof options][] as specified in [ld-proofs][] and [vc-http-api][]. If there is more than one proof present, at least one must pass all the requirements passed in the options.

- `-C, --challenge <challenge>` - The [challenge][] property of the proof must
  equal this value.
- `-c, --created <created>` - The [created][] property of the proof must be on or after the given ISO8601 datetime. Defaults to the current time. 
  time.
- `-d, --domain <domain>` - The [domain][] property of the proof must equal the
  given value.
- `-p, --proof-purpose <proof-purpose>` - The [proofPurpose][] property of the proof must equal this value.
- `-v, --verification-method <verification-method>` - The [verificationMethod][]
  property of the proof must equal this value.

#### Supported proof types

- [RsaSignature2018][]
- [Ed25519VerificationKey2018][]

#### Output

The verification result output is a `VerificationResult` JSON object as specified in [vc-http-api][]:
```json
{
  "checks": [],
  "warnings": [],
  "errors": []
}
```
Verification result properties:
- `checks` - Array of strings indicating checks completed on the credential.
- `warnings` - Array of warnings encountered during validation or verification.
- `errors` - Array of strings indicating errors encountered during validation or verification. If `errors` is empty, the credential is verified.

### `didkit vc-issue-presentation`

Issue a verifiable presentation. Reads presentation on stdin, generates proof to add to it, and outputs the resulting verifiable presentation.

Corresponds to [/credentials/prove](https://w3c-ccg.github.io/vc-http-api/#operation/provePresentation) in [vc-http-api][].

Options are the same as for [didkit vc-issue-credential](#didkit-vc-issue-credential).

### `didkit vc-verify-presentation`

Verify a verifiable presentation. Reads verifiable presentation on stdin, and outputs verification result. Returns exit status zero if presentation successfully verified, or non-zero if errors were encountered.

Corresponds to [/presentations/verify](https://w3c-ccg.github.io/vc-http-api/#operation/verifyPresentation) in [vc-http-api][].

Options and output format are the same as for [didkit vc-verify-credential](#didkit-vc-verify-credential).

### `didkit did-resolve <did>`

Resolve a DID to a DID document, according to [DID Resolution][did-resolution].

#### Options
- `-m, --with-metadata` - Return a the resolved DID document with resolution metadata and document metadata, in a [DID Resolution Result][did-resolution-result] object.
- `-i <name=value>` - A [DID Resolution input metadata][did-resolution-input-metadata] property. If `=` is omitted, boolean `true` is used as the value, otherwise, value is a string. May be repeated to add multiple properties. If used multiple times with the same `name`, the values are combined into an array value to form a single property.
- `-r, --did-resolver <url>` - [DID resolver HTTP(S) endpoint][did-resolution-https-binding], used for DID resolution and DID URL dereferencing for non-built-in DID Methods. Equivalent to environmental variable `DID_RESOLVER`.

#### Output
Returns the resolved DID document, optionally with metadata.

Without the `-m` option, a representation of the resolved DID document is returned, without document metadata or resolution metadata.

If the `-m` option is used, a DID Resolution Result is returned, which is a JSON object containing the following properties:
- `didDocument` - the resolved DID document
- `didResolutionMetadata` - [DID resolution metadata][did-resolution-metadata]
- `didDocumentMetadata` - [DID document metadata][did-document-metadata]
- `@context` - JSON-LD context, if using JSON-LD representation.

Exit status is zero on success, and nonzero on failure. On failure, a DID Resolution Result object may still be returned on standard output if the `-m` option is used, where the `error` property of the DID resolution metadata object is set to the error message. If `-m` is not used, the error message is returned on standnard error.

### `didkit did-dereference <did-url>`

Dereference a DID URL to a resource, as in [did-core - DID URL Dereferencing][did-url-dereferencing].

#### Options
- `-m, --with-metadata` - Return the resulting resource with resolution metadata and document metadata, in a [DID Resolution Result][did-resolution-result] object.
- `-i <name=value>` - A [DID URL Dereferencing input metadata][did-url-dereferencing-input-metadata] property. If `=` is omitted, boolean `true` is used as the value, otherwise, value is a string. May be repeated to add multiple properties. If used multiple times with the same `name`, the values are combined into an array value to form a single property.
- `-r, --did-resolver <url>` - [DID resolver HTTP(S) endpoint][did-resolution-https-binding], used for DID resolution and DID URL dereferencing for non-built-in DID Methods. Equivalent to environmental variable `DID_RESOLVER`.

#### Output
Returns the resource dereferenced from the DID URL, optionally with metadata.

Without the `-m` option, the content resulting from dereferencing is returned, without content metadata or dereferencing metadata.

If the `-m` option is used, a JSON array is returned containing the following three objects:
- The resolved DID document or other resource corresponding to the dereferenced DID URL
- [DID dereferencing metadata][did-url-dereferencing-metadata] or [DID resolution metadata][did-resolution-metadata]
- Content metadata or [DID document metadata][did-document-metadata]

Exit status is zero on success and nonzero on error. On error, if `-m` is used, the error message is returned in the `error` property of the DID dereferencing metadata object on standard output; if `-m` is not used, the error is printed on standard error.

## Examples

See the included [shell script](tests/example.sh).

[JWK]: https://tools.ietf.org/html/rfc7517
[ld-proofs]: https://w3c-ccg.github.io/ld-proofs/
[vc-http-api]: https://w3c-ccg.github.io/vc-http-api/
[RsaSignature2018]: https://w3c-ccg.github.io/lds-rsa2018/
[Ed25519VerificationKey2018]: https://w3c-ccg.github.io/lds-ed25519-2018/
[Ed25519]: https://tools.ietf.org/html/rfc8037#appendix-A.2
[P-256]: https://tools.ietf.org/html/rfc7518#section-6.2.1.1
[Secp256k1]: https://tools.ietf.org/html/rfc8812#section-3.1

[did:key]: https://w3c-ccg.github.io/did-method-key/
[did:web]: https://w3c-ccg.github.io/did-method-web/
[did:tz]: https://did-tezos.spruceid.com/
[did:ethr]: https://github.com/decentralized-identity/ethr-did-resolver/blob/master/doc/did-method-spec.md

[proof options]: https://w3c-ccg.github.io/ld-proofs/#dfn-proof-options
[ld-proofs-overview]: https://w3c-ccg.github.io/ld-proofs/#linked-data-proof-overview

[created]: https://w3c-ccg.github.io/security-vocab/#created
[proofPurpose]: https://w3c-ccg.github.io/security-vocab/#proofPurpose
[created]: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/terms/created/
[challenge]: https://w3c-ccg.github.io/security-vocab/#challenge
[domain]: https://w3c-ccg.github.io/security-vocab/#domain
[verificationMethod]: https://w3c-ccg.github.io/security-vocab/#verificationMethod
[kty]: https://tools.ietf.org/html/rfc7517#section-4.1
[kid]: https://tools.ietf.org/html/rfc7517#section-4.5
[alg]: https://tools.ietf.org/html/rfc7517#section-4.4
[did-resolution]: https://w3c-ccg.github.io/did-resolution/
[did-resolution-input-metadata]: https://w3c.github.io/did-core/#did-resolution-input-metadata-properties
[did-resolution-metadata]: https://w3c.github.io/did-core/#did-resolution-metadata-properties
[did-document-metadata]: https://w3c.github.io/did-core/#did-document-metadata-properties
[did-resolution-result]: https://w3c-ccg.github.io/did-resolution/#did-resolution-result
[did-url-dereferencing]: https://w3c.github.io/did-core/#did-url-dereferencing
[did-url-dereferencing-metadata]: https://w3c.github.io/did-core/#did-url-dereferencing-metadata-properties
[did-url-dereferencing-input-metadata]: https://w3c.github.io/did-core/#did-url-dereferencing-input-metadata-properties
[did-resolution-https-binding]: https://w3c-ccg.github.io/did-resolution/#bindings-https